From 55b0bf0d3a33277ea1fddc83531867b6736b29ba Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Tue, 12 Nov 2019 23:43:29 -0800 Subject: [PATCH] add event handler for NamespacedPolicyViolation --- .../kyverno/v1alpha1/expansion_generated.go | 40 ++++- pkg/policy/controller.go | 6 + pkg/policy/namespacedpv.go | 160 ++++++++++++++++++ 3 files changed, 205 insertions(+), 1 deletion(-) create mode 100644 pkg/policy/namespacedpv.go diff --git a/pkg/client/listers/kyverno/v1alpha1/expansion_generated.go b/pkg/client/listers/kyverno/v1alpha1/expansion_generated.go index 546323f997..eaae8342e7 100644 --- a/pkg/client/listers/kyverno/v1alpha1/expansion_generated.go +++ b/pkg/client/listers/kyverno/v1alpha1/expansion_generated.go @@ -38,8 +38,8 @@ type PolicyViolationListerExpansion interface{} // PolicyListerExpansion allows custom methods to be added to // PolicyLister. type ClusterPolicyListerExpansion interface { - // TODO(shuting): change to getpolicyforclusterpolicyviolation? GetPolicyForPolicyViolation(pv *kyverno.ClusterPolicyViolation) ([]*kyverno.ClusterPolicy, error) + GetPolicyForNamespacedPolicyViolation(pv *kyverno.NamespacedPolicyViolation) ([]*kyverno.ClusterPolicy, error) ListResources(selector labels.Selector) (ret []*v1alpha1.ClusterPolicy, err error) } @@ -131,3 +131,41 @@ func (pl *clusterPolicyLister) GetPolicyForPolicyViolation(pv *kyverno.ClusterPo return policies, nil } + +func (pl *clusterPolicyLister) GetPolicyForNamespacedPolicyViolation(pv *kyverno.NamespacedPolicyViolation) ([]*kyverno.ClusterPolicy, error) { + if len(pv.Labels) == 0 { + return nil, fmt.Errorf("no Policy found for PolicyViolation %v because it has no labels", pv.Name) + } + + pList, err := pl.List(labels.Everything()) + if err != nil { + return nil, err + } + + var policies []*kyverno.ClusterPolicy + for _, p := range pList { + policyLabelmap := map[string]string{"policy": p.Name} + + ls := &metav1.LabelSelector{} + err = metav1.Convert_Map_string_To_string_To_v1_LabelSelector(&policyLabelmap, ls, nil) + if err != nil { + return nil, fmt.Errorf("failed to generate label sector of Policy name %s: %v", p.Name, err) + } + selector, err := metav1.LabelSelectorAsSelector(ls) + if err != nil { + return nil, fmt.Errorf("invalid label selector: %v", err) + } + // If a policy with a nil or empty selector creeps in, it should match nothing, not everything. + if selector.Empty() || !selector.Matches(labels.Set(pv.Labels)) { + continue + } + policies = append(policies, p) + } + + if len(policies) == 0 { + return nil, fmt.Errorf("could not find Policy set for Namespaced policy Violation %s with labels: %v", pv.Name, pv.Labels) + } + + return policies, nil + +} diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go index 96fc8396b6..e2ee5266bf 100644 --- a/pkg/policy/controller.go +++ b/pkg/policy/controller.go @@ -131,6 +131,12 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, client *client. DeleteFunc: pc.deletePolicyViolation, }) + pvInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: pc.addNamespacedPolicyViolation, + UpdateFunc: pc.updateNamespacedPolicyViolation, + DeleteFunc: pc.deleteNamespacedPolicyViolation, + }) + pc.enqueuePolicy = pc.enqueue pc.syncHandler = pc.syncPolicy diff --git a/pkg/policy/namespacedpv.go b/pkg/policy/namespacedpv.go new file mode 100644 index 0000000000..4d0ce64063 --- /dev/null +++ b/pkg/policy/namespacedpv.go @@ -0,0 +1,160 @@ +package policy + +import ( + "reflect" + + "github.com/golang/glog" + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + cache "k8s.io/client-go/tools/cache" +) + +func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) { + pv := obj.(*kyverno.NamespacedPolicyViolation) + + if pv.DeletionTimestamp != nil { + // On a restart of the controller manager, it's possible for an object to + // show up in a state that is already pending deletion. + pc.deletePolicyViolation(pv) + return + } + + // generate labels to match the policy from the spec, if not present + // if updatePolicyLabelIfNotDefined(pc.pvControl, nil) { + // return + // } + + // If it has a ControllerRef, that's all that matters. + if controllerRef := metav1.GetControllerOf(pv); controllerRef != nil { + p := pc.resolveControllerRef(controllerRef) + if p == nil { + return + } + glog.V(4).Infof("Namespaced policy violation %s added.", pv.Name) + pc.enqueuePolicy(p) + return + } + + // Otherwise, it's an orphan. Get a list of all matching Policies and sync + // them to see if anyone wants to adopt it. + ps := pc.getPolicyForNamespacedPolicyViolation(pv) + if len(ps) == 0 { + // there is no cluster policy for this violation, so we can delete this cluster policy violation + glog.V(4).Infof("PolicyViolation %s does not belong to an active policy, will be cleanedup", pv.Name) + if err := pc.pvControl.DeletePolicyViolation(pv.Name); err != nil { + glog.Errorf("Failed to deleted policy violation %s: %v", pv.Name, err) + return + } + glog.V(4).Infof("PolicyViolation %s deleted", pv.Name) + return + } + glog.V(4).Infof("Orphan Policy Violation %s added.", pv.Name) + for _, p := range ps { + pc.enqueuePolicy(p) + } +} + +func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{}) { + curPV := cur.(*kyverno.NamespacedPolicyViolation) + oldPV := old.(*kyverno.NamespacedPolicyViolation) + if curPV.ResourceVersion == oldPV.ResourceVersion { + // Periodic resync will send update events for all known Policy Violation. + // Two different versions of the same replica set will always have different RVs. + return + } + + // generate labels to match the policy from the spec, if not present + // if updatePolicyLabelIfNotDefined(pc.pvControl, curPV) { + // return + // } + + curControllerRef := metav1.GetControllerOf(curPV) + oldControllerRef := metav1.GetControllerOf(oldPV) + controllerRefChanged := !reflect.DeepEqual(curControllerRef, oldControllerRef) + if controllerRefChanged && oldControllerRef != nil { + // The ControllerRef was changed. Sync the old controller, if any. + if p := pc.resolveControllerRef(oldControllerRef); p != nil { + pc.enqueuePolicy(p) + } + } + // If it has a ControllerRef, that's all that matters. + if curControllerRef != nil { + p := pc.resolveControllerRef(curControllerRef) + if p == nil { + return + } + glog.V(4).Infof("PolicyViolation %s updated.", curPV.Name) + pc.enqueuePolicy(p) + return + } + + // Otherwise, it's an orphan. If anything changed, sync matching controllers + // to see if anyone wants to adopt it now. + labelChanged := !reflect.DeepEqual(curPV.Labels, oldPV.Labels) + if labelChanged || controllerRefChanged { + ps := pc.getPolicyForNamespacedPolicyViolation(curPV) + if len(ps) == 0 { + // there is no cluster policy for this violation, so we can delete this cluster policy violation + glog.V(4).Infof("PolicyViolation %s does not belong to an active policy, will be cleanedup", curPV.Name) + if err := pc.pvControl.DeletePolicyViolation(curPV.Name); err != nil { + glog.Errorf("Failed to deleted policy violation %s: %v", curPV.Name, err) + return + } + glog.V(4).Infof("PolicyViolation %s deleted", curPV.Name) + return + } + glog.V(4).Infof("Orphan PolicyViolation %s updated", curPV.Name) + for _, p := range ps { + pc.enqueuePolicy(p) + } + } +} + +func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) { + pv, ok := obj.(*kyverno.NamespacedPolicyViolation) + // When a delete is dropped, the relist will notice a PolicyViolation in the store not + // in the list, leading to the insertion of a tombstone object which contains + // the deleted key/value. Note that this value might be stale. If the PolicyViolation + // changed labels the new Policy will not be woken up till the periodic resync. + if !ok { + tombstone, ok := obj.(cache.DeletedFinalStateUnknown) + if !ok { + glog.Infof("Couldn't get object from tombstone %#v", obj) + return + } + pv, ok = tombstone.Obj.(*kyverno.NamespacedPolicyViolation) + if !ok { + glog.Infof("Couldn't get object from tombstone %#v", obj) + return + } + } + controllerRef := metav1.GetControllerOf(pv) + if controllerRef == nil { + // No controller should care about orphans being deleted. + return + } + p := pc.resolveControllerRef(controllerRef) + if p == nil { + return + } + glog.V(4).Infof("PolicyViolation %s deleted", pv.Name) + pc.enqueuePolicy(p) +} + +func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.NamespacedPolicyViolation) []*kyverno.ClusterPolicy { + policies, err := pc.pLister.GetPolicyForNamespacedPolicyViolation(pv) + if err != nil || len(policies) == 0 { + return nil + } + // Because all PolicyViolations's belonging to a Policy should have a unique label key, + // there should never be more than one Policy returned by the above method. + // If that happens we should probably dynamically repair the situation by ultimately + // trying to clean up one of the controllers, for now we just return the older one + if len(policies) > 1 { + // ControllerRef will ensure we don't do anything crazy, but more than one + // item in this list nevertheless constitutes user error. + glog.V(4).Infof("user error! more than one policy is selecting policy violation %s with labels: %#v, returning %s", + pv.Name, pv.Labels, policies[0].Name) + } + return policies +}